For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Session & origins
Share the web app cookie with the extension, register chrome-extension:// in trustedOrigins, and avoid a second auth stack.
TurboStarter does not implement a full sign-in UI in the extension. Users authenticate on the web app; the extension reuses that session.
That shrinks phishing surface and keeps one place for password, OAuth, and 2FA policies.
Trusted origins
Add your extension id to Better Auth trustedOrigins on the server:
export const auth = betterAuth({
trustedOrigins: [
"chrome-extension://your-extension-id",
// Firefox / Edge ids as needed
],
});Find the id under chrome://extensions (Developer mode). Production builds get a stable id from the store - update trustedOrigins when it changes from your local unpacked id.
Why this matters
Trusted origins block CSRF-style abuse and open redirects. Only extension ids you control should be listed.
Cookie sharing
- User signs in on the web app (HTTPS in production)
- Better Auth sets the session cookie on your app domain
- The extension reads that cookie with the
cookiespermission and your apphost_permissions - API calls from the extension attach the session the same way the web client would
Details and config live in Auth session.
What not to do
- Do not store the session token in
chrome.storageas a long-lived substitute for httpOnly cookies when cookie sharing already works - Do not build a parallel password form in the popup “for convenience”
- Do not log cookie values to analytics or Sentry
- Do not grant
host_permissionsfor unrelated sites “just in case”
Sign-out
Sign-out from the extension should clear the shared session so web and extension stay in sync. Verify both surfaces after you change auth plugins or cookie names.
How is this guide?
Last updated on